Church Account is the primary user account (user name and password) for accessing online Church resources. Church Account was formerly known as LDS Account. This forum is a space to discuss all things related to Church Accounts (registration, account recovery, user experience, vulnerabilities, etc.).

Hi, I'm developing an app/website that requires authentication for local church leaders. I would really rather not force members to have to create an account through my own application, but would like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth?

Reasons for this are:
1. It is more secure as I am not storing their sensitive passwords in my system
2. It is convenient for the member to use an existing account vs creating a new account for my app
3. I don't really want to authenticate with other services like Facebook, etc.

If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

neptunecentury wrote: I would ... like to have members authenticate through an already existing LDS Account. Is this possible through something like OAuth? ... If this is not currently possible because of technological limitations, is this something that can be implemented in the near future?

... third-party developers are restricted from using LDS Account, which could give access to membership data. This restriction protects the privacy of membership data (a legal requirement in many countries) and safeguards how membership data is viewed and used.

Although that wiki article is dealing with a different context, the basic principle still holds that the LDS Account can be used only by official Church applications.

Technologies exist which could be used to allow third parties to use LDS Account single sign-on to authenticate users (OpenID) and access a user's data stored on church servers (OAuth) without violating any privacy laws. In the case of OpenID, the response only confirms that the user is authenticated to that particular ID. In the case of OAuth, the user would grant (and could revoke) authorization to read and/or write certain types of data. The key to these technologies is that authentication and authorization occur on the provider's site, not on the consumer's site. Unfortunately these technologies are not widely used (to use mint.com with most of my financial accounts, I have to trust it with my passwords; however, one of my accounts has a method similar to OAuth allowing me to grant third-party read-only access to mint.com without sharing my password). As much as I'd like it, I don't see the church being a pioneer in this type of open development - generally the church is at least as conservative as the majority of financial institutions.

I suppose if it's not possible to use LDS Account, I guess the next best thing would be some other Social Media login, but I may just opt to have users register for an account on my app as the idea of using "facebook" for an LDS application just doesn't seem right.

I would suggest offering OpenID sign on - the user chooses their authentication server (Google, Yahoo, Wordpress, and many more provide OpenID to their users), but providing your own authentication option (with or without becoming an OpenID provider). The biggest challenge to users wanting to use OpenID is that there are too many sites that want to provide, but not consume, OpenID.

One practical reason for the limitation on using OAuth in LDS Accounts, with the way it's currently set up, is it seems that a user can get more information through their LDS Account than what's actually displayed to them. For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server. So, a third-party app could circumvent the policies of who can see what data and show everything to the user.

Samuel Bradshaw • If you desire to serve God, you are called to the work.
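The concern raised in the post above, sketched as an added example (not part of the original thread and not code from any Church system): when field-level policy lives only in the official client, any other client calling the same backend receives everything. All roles, field names, functions and records below are hypothetical and constructed for illustration.

```python
# Constructed sample record; every name, role and field here is hypothetical.
DIRECTORY = {
    "m1": {"name": "A. Member", "ward": "W1", "phone": "555-0100",
           "donations": [120, 80], "confidential_notes": "constructed note"},
}

# Which fields each role is allowed to read.
FIELD_POLICY = {
    "member": {"name", "ward"},
    "clerk": {"name", "ward", "phone", "donations"},
}

def backend_unfiltered(caller_role, member_id):
    """Weak design: return the whole record and trust the client to hide fields."""
    return dict(DIRECTORY[member_id])

def backend_enforced(caller_role, member_id):
    """Corrected design: apply the policy before data leaves the server."""
    allowed = FIELD_POLICY.get(caller_role, set())  # unknown role gets nothing
    return {k: v for k, v in DIRECTORY[member_id].items() if k in allowed}

def official_client_view(caller_role, record):
    """Client-side filtering: only protects users of this one client."""
    allowed = FIELD_POLICY.get(caller_role, set())
    return {k: v for k, v in record.items() if k in allowed}

def third_party_client_view(caller_role, record):
    """Another client that simply renders whatever the API returned."""
    return record

def leaked_fields(caller_role, member_id, backend):
    """Fields a non-official client receives beyond what the policy allows."""
    received = third_party_client_view(caller_role, backend(caller_role, member_id))
    return set(received) - FIELD_POLICY.get(caller_role, set())

if __name__ == "__main__":
    for backend in (backend_unfiltered, backend_enforced):
        print(backend.__name__, sorted(leaked_fields("member", "m1", backend)))
```

With enforcement on the server, the set of over-exposed fields is empty regardless of which client makes the call, which is the precondition for safely delegating access to third parties.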

With the roll out of tithing on-line, the ante has been upped on what the account can access. If anyone thinks I'd be willing to type an LDS Account login into a non-church owned site, they are sadly mistaken.

Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

sbradshaw wrote: For example, every once in a while we hear of a bug report where LDS Tools is showing data that a user shouldn't be able to see. The fix is done on LDS Tools, not on the backend server.

Maybe the LDS Tools is a quick interim fix. Because if true that sure smells of bad security.
